ThreatLocker CEO: Know How To Create Malware And Fight Bad Guys At Their Level
If you understand how attackers are thinking, you can better prepare yourself, according to ThreatLocker's Danny Jenkins.
If you understand how attackers are thinking, you can better prepare yourself, said Danny Jenkins, CEO and co-founder of cybersecurity company ThreatLocker, during his presentation at the Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company.
Jenkins has been in the IT security field for 20 years and has also worked as an ethical hacker. He spoke about the evolution of malware, why it is important to know how malware is created, and how best to lock down networks against attacks like ransomware.
Malware's Evolution
Malware has been transformed since the 1990s, Jenkins said. "The way we typically stop malware is traditional antivirus -- essentially a list of all known bad programs somebody writes -- gets put on a list. And then when that [program] tries to run on your machine, it gets blocked."
He said that type of antivirus security was effective at the time, when malware was transmitted by floppy disk.
However, with the subsequent generation of malware, that type of security wasn't good enough any longer. Combating newer malware required going "beyond just looking at the file signature," Jenkins said.
"[We had to] start looking at what [the malware] was doing. So we'd take it, we'd sandbox it, we'd see the behavior of the file," he added. They would examine a suspicious file for specific conditions, such as whether it was missing try-catch blocks or copyright permissions.
The early 2000s saw the security industry move to recurring-pattern detection to fight malware, Jenkins said. If AV software sees a file it has never encountered before, and especially if many instances of that file appear at once, there is a high probability that the file is viral, he explained.
The next evolutionary step in the fight against malware was to move beyond looking at files and start looking at endpoints.
"Let's look at the whole device and see if there's bad behaviors, not just bad files and that's where we really went into the EDR [endpoint detection and response] industry," he said.
Now, artificial intelligence has given threat actors a whole new arsenal with which to create malware. With AI, dangerous code has become more ubiquitous and more capable of wreaking unprecedented havoc. Those responsible for cybersecurity should know how malware is created and how AI plays into that.
How Malware Is Created
Up until recently, there were two main ways to create malware, Jenkins said. "One is, I'd go out to the internet, use the dark web, use regular internet search … you could download samples. There's lots of samples out there, there [are] companies that sell it," he said. The other way is "you'd write the code yourself."
Today, hackers can use AI to generate malware without even knowing how to code. Jenkins demonstrated two examples of malware code, one downloaded from Google, the other created by ChatGPT. The code was a reverse shell written in C#, a tool that attackers use to gain remote access to a machine's command line.
At first, ChatGPT resisted generating the code, Jenkins said, responding that it was unethical to do so. But Jenkins got around that by telling the chatbot that he was a cybersecurity professional, and ChatGPT created the code.
ChatGPT has since implemented some changes to make it harder to create malware code, but as Jenkins pointed out, there are other AI platforms available.
Jenkins also relayed an even more troubling scenario. When they tested the code downloaded from Google against several popular cybersecurity defense solutions, those solutions picked up the code as malware. Those solutions had seen that code before and were able to detect and respond.
Not so with the AI-generated code. "Every time you hit 'generate' [the AI chatbot] gives you a very unique and different version of the same program … creating different signatures, different structures," making that AI-built code "much, much harder to detect," he said.
Another way malware gets created and distributed successfully is by appearing as legitimate signed code. Signed code is typically not red-flagged by AV and EDR platforms because it traces back to a developer.
But is it?
Jenkins said bad actors can spin up a business on yelp.com, for instance, add a cell phone or burner phone number, and then go to DigiCert to get a code-signing certificate. Once they do, defense platforms may allow that code to execute because it was signed.
A third way malware spreads is by having it talk to servers that appear local. Jenkins said he is "amazed" by how much malware communicates directly back to servers in Russia. Smart hackers will get native servers in the U.S. to host their malware, knowing that AV and EDR systems will red-flag code communicating with servers in countries notorious for hacking.
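The point above is that a signature which validates only proves a certificate was issued, not that the publisher is trustworthy. The following added example (not code from the talk or from ThreatLocker) gates execution on the signer's identity and flags recently issued certificates; the thumbprint, the folder path and the 30-day threshold are constructed assumptions.

```powershell
# Added example (not from the talk or ThreatLocker): gate execution on WHO signed a
# file, not merely on whether its signature validates, and flag very new certificates.
# The thumbprint and the 30-day age threshold below are constructed assumptions.
$ApprovedSignerThumbprints = @(
    '0000000000000000000000000000000000000000'   # placeholder: replace with vetted publisher thumbprints
)
$NewCertificateDays = 30

function Test-ApprovedSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Allowed = $false; Reason = '' }

    # A chain that validates is necessary but not sufficient: a freshly registered
    # "business" can obtain a perfectly valid certificate from a public CA.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "Signature status: $($sig.Status)"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $ageDays = ((Get-Date) - $cert.NotBefore).Days

    if ($ApprovedSignerThumbprints -contains $cert.Thumbprint) {
        $result.Allowed = $true
        $result.Reason = "Approved signer: $($cert.Subject)"
    } elseif ($ageDays -le $NewCertificateDays) {
        # Valid, unknown and recently issued: the pattern described above, worth a closer look
        $result.Reason = "Unvetted signer with certificate issued $ageDays days ago: $($cert.Subject)"
    } else {
        $result.Reason = "Valid signature from unvetted signer: $($cert.Subject) ($($cert.Thumbprint))"
    }
    return [pscustomobject]$result
}

# Usage: list every executable under a folder that would be denied, with the reason.
Get-ChildItem -Path 'C:\Example\Installers' -Recurse -File -Include *.exe,*.dll,*.msi |
    ForEach-Object { Test-ApprovedSigner -Path $_.FullName } |
    Where-Object { -not $_.Allowed } |
    Format-Table Path, Reason -AutoSize
```

Unknown-but-valid signers are denied by default and surfaced for review rather than silently trusted.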
Locking Down Your Environment Against Next-Gen Malware
Jenkins offered several tips for boosting security against latter-day threats like ransomware:
- Hold regular end-user training. Social engineering is the main way malware spreads through an organization. Before a security training session at a school, "we emailed 60 teachers from [email protected] asking them for their password for an urgent system update," Jenkins said. A third of them responded with their passwords.
- Lock down macro use. Macros, he said, are still used successfully to distribute malware.
- Keep machines updated and patched.
- Use firewalls on all devices.
- Don't run admin rights on machines.
- Employ zero trust – only allow users and services to access what they need. Limit access on the network to shares and other resources.
- Windows environments should use BitLocker. With BitLocker enabled, someone who gets hold of a device on your network cannot reboot it into Safe Mode without the recovery key. Jenkins said many ransomware cases involve someone rebooting into Safe Mode to bypass security software.
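As an added example (not from the talk or from ThreatLocker), the following read-only script audits a local Windows host against the checklist items above that can be checked programmatically: BitLocker on the OS volume, the host firewall on every profile, admin rights in the current session, Office macro settings and patch recency. The 30-day patch threshold and the Office registry version path (16.0) are assumptions.

```powershell
# Added example (not from the talk or ThreatLocker): a read-only audit of the
# hardening items listed above on the local Windows host. Run it in an elevated
# session for the BitLocker check. The 30-day patch threshold and the Office
# version path (16.0) are assumptions; adjust them to your environment.
function Get-HardeningFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. BitLocker on the OS volume (blocks the Safe Mode reboot trick without a recovery key)
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        if ($os.ProtectionStatus -ne 'On') { $findings.Add("BitLocker protection is $($os.ProtectionStatus) on $env:SystemDrive") }
    } catch { $findings.Add("BitLocker status unavailable: $($_.Exception.Message)") }

    # 2. Host firewall enabled on every profile (Domain, Private, Public)
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        ForEach-Object { $findings.Add("Firewall disabled for profile $($_.Name)") }

    # 3. Day-to-day session should not carry admin rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings.Add("Current user $($id.Name) is running with administrator rights") }

    # 4. Office macros: VBAWarnings 4 = disabled without notification; anything lower still allows macros
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $v) { $findings.Add("${app}: no VBAWarnings setting found (default allows macros after a prompt)") }
        elseif ($v -lt 4) { $findings.Add("${app}: VBAWarnings=$v, macros are not fully disabled") }
    }

    # 5. Patch recency, using the newest installed hotfix as a rough signal
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last -or ((Get-Date) - $last.InstalledOn).Days -gt 30) {
        $findings.Add("No Windows update installed in the last 30 days (latest: $($last.InstalledOn))")
    }

    return $findings
}

$results = Get-HardeningFindings
if ($results.Count -eq 0) { 'No findings: all checked items pass.' } else { $results }
```

Items that cannot be checked from a single host (user training, network share permissions) still need a policy review.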